
        <sp:EncryptedParts>
          <sp:Body/>
        </sp:EncryptedParts>
      </wsp:ExactlyOne>
    </wsp:Policy>

2.21.2.4 Smart Policy Selection for a Standalone Client

You can set the policy selection preference via the stub property. The following example sets the stub property for security, compatibility, and performance preferences:

    stub._setProperty(WLStub.POLICY_SELECTION_PREFERENCE,
                      WLStub.PREFERENCE_SECURITY_COMPATIBILITY_PERFORMANCE);

If the policy selection preference is not set, then the default preference, None, is used.

2.21.3 Multiple Transport Assertions

If there are multiple available transport-level assertions in your security policies, WebLogic Server uses the policy that requires https. If more than one policy alternative requires https, WebLogic Server randomly picks one of them. You should therefore avoid using multiple policy alternatives that contain mixed transport-level policy assertions.
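The following Python check is an added example, not part of the Oracle documentation. It audits a WS-Policy document for the situation described above: policy alternatives that differ in their transport-level assertions, and more than one alternative that requires https. The sample policy is constructed, the finding names are hypothetical, and treating an sp:HttpsToken element as "requires https" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two https alternatives and one message-level-only alternative.
SAMPLE = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All><sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpsToken/>
    </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding></wsp:All>
    <wsp:All><sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpsToken><wsp:Policy><sp:RequireClientCertificate/></wsp:Policy></sp:HttpsToken>
    </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding></wsp:All>
    <wsp:All><sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def local(tag):
    """Strip the XML namespace so the check works across WS-Policy versions."""
    return tag.rsplit("}", 1)[-1]


def alternatives(policy_xml):
    """Return the wsp:All alternatives under the top-level wsp:ExactlyOne."""
    root = ET.fromstring(policy_xml)
    exactly_one = next((c for c in root if local(c.tag) == "ExactlyOne"), None)
    if exactly_one is None:
        return [root]  # no ExactlyOne: the whole policy is one alternative
    return [c for c in exactly_one if local(c.tag) == "All"]


def requires_https(alternative):
    # Assumption: an sp:HttpsToken anywhere inside the alternative means it requires https.
    return any(local(e.tag) == "HttpsToken" for e in alternative.iter())


def audit(policy_xml):
    """Return (per-alternative https flags, list of findings)."""
    flags = [requires_https(a) for a in alternatives(policy_xml)]
    findings = []
    if len(set(flags)) > 1:
        findings.append("MIXED_TRANSPORT")   # some alternatives require https, some do not
    if flags.count(True) > 1:
        findings.append("AMBIGUOUS_HTTPS")   # the server may pick any of these at random
    return flags, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running such a check over the policy files attached to a service before deployment shows whether the effective transport policy depends on the selection behaviour described in this section.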

2.22 Example of Adding Security to MTOM Web Service

As described in Optimizing Binary Data Transmission Using MTOM/XOP, SOAP Message Transmission Optimization Mechanism/XML-binary Optimized Packaging (MTOM/XOP) defines a method for optimizing the transmission of XML data of type xs:base64Binary or xs:hexBinary in SOAP messages.

This section describes a combination of two examples that are already included with WebLogic Server:

■ WL_HOME\samples\server\examples\src\examples\webservices\wss1.1
■ WL_HOME\samples\server\examples\src\examples\webservices\mtom

These existing examples include functional code and extensive instructions.html files that describe their use and function, how to build them, and so forth. This section does not repeat that information, but instead concentrates on the changes made to these examples, and the reasons for the changes.

2.22.1 Files Used by This Example

The example uses the files shown in Table 2–12. The contents of the source files are shown in subsequent sections.

Note: The example shows adding security to a JAX-RPC Web service. In this release, MTOM with WS-Security is supported for both JAX-WS and JAX-RPC.

Table 2–12 Files Used in MTOM/Security Example

| File | Description |
|---|---|
| build.xml | Ant build file that contains targets for building and running the example. |
| configWss.py | WLST script that configures a Web service security configuration. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1 |
| MtomClient.java | Standalone client application that invokes the MTOM Web service. This file uses the JAX-RPC Stubs generated by clientgen, based on the WSDL of the Web service. |
| SecurityMtomService.java | JWS file that implements the MTOM Web service. The JWS file uses the @Policy annotation to specify the WS-Policy files that are associated with the Web service. |
| clientkeyStore.jks | Client-side key store, used to create a client-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs |
| serverkeyStore.jks | Server-side key store, used to create a server-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs |
| testServerCertTempCert.der | Server-side certificate, used to create a client-side BinarySecurityToken credential provider. This file is copied without change from WL_HOME\samples\server\examples\src\examples\webservices\wss1.1\certs |

2.22.2 SecurityMtomService.java

The SecurityMtomService.java JWS file is the same as that in WL_HOME\samples\server\examples\src\examples\webservices\mtom\MtomService.java, with the additional @Policy annotations shown in bold.

Example 2–25 SecurityMtomService.java

    package examples.webservices.security_mtom;

    import weblogic.jws.Binding;
    import weblogic.jws.Policy;
    import weblogic.jws.Policies;
    import weblogic.jws.Context;
    import weblogic.jws.WLDeployment;
    import weblogic.wsee.jws.JwsContext;
    import weblogic.wsee.mtom.api.MtomPolicyInfo;
    import weblogic.wsee.mtom.api.MtomPolicyInfoFactory;
    import weblogic.wsee.policy.framework.PolicyException;

    import javax.jws.WebService;
    import javax.jws.WebMethod;
    import java.rmi.RemoteException;

    /**
     * Sample to MTOM with JAX-RPC
     *
     * @author Copyright © 1996, 2008, Oracle and/or its affiliates. All rights reserved.
     */
    @WebService
    @Binding(Binding.Type.SOAP12)
    // enable WSS + MTOM for this web service by adding the following canned policy files
    @Policies({
        @Policy(uri = "policy:Mtom.xml"),
        @Policy(uri = "policy:Wssp1.2-2007-SignBody.xml"),
        @Policy(uri = "policy:Wssp1.2-2007-EncryptBody.xml"),
        @Policy(uri = "policy:Wssp1.2-Wss1.1-EncryptedKey.xml")
    })
    public class SecurityMtomService {

      public SecurityMtomService() {
      }

      /**
       * Input is sent as XOPed binary octet stream
       *
       * @param bytes input bytes
       * @return A simple String
       */
      @WebMethod
      public String echoBinaryAsString(byte[] bytes) {
        return new String(bytes);
      }

      /**
       * Output is sent as XOPed binary octet stream
       *
       * @param s a simple String
       * @return byte[]
       */
      @WebMethod
      public byte[] echoStringAsBinary(String s) {
        return s.getBytes();
      }

      /**
       * input byte[] is sent as XOPed binary octet stream
       *
       * @param array input byte[] array
       * @return String[]
       */
      @WebMethod
      public String[] echoBinaryArrayAsStringArray(byte[] array) {
        String[] strings = new String[1];
        strings[0] = new String(array);
        return strings;
      }
    }

You can specify the @Policy annotation at both the class and method level. In this example, the annotation is used at the class level to specify the predefined WS-Policy files, which means all public operations of the Web service are associated with the specified WS-Policy files.

You use the @Policies annotation to group together multiple @Policy annotations. You can specify this annotation at both the class and method level. In this example, the annotation is used at the class level to group the four @Policy annotations that specify the predefined WS-Policy files:

■ The predefined WS-Policy file Mtom.xml enables MTOM encoding.
■ As described in Section 2.16.2, Protection Assertion Policies, the Wssp1.2-2007-SignBody.xml policy file specifies that the body and WebLogic system headers of both the request and response SOAP message be digitally signed.
■ The Wssp1.2-2007-EncryptBody.xml policy file specifies that the body of both the request and response SOAP messages be encrypted.
■ The Wssp1.2-Wss1.1-EncryptedKey.xml symmetric binding policy uses the WS-Security 1.1 Encrypted Key feature. The client application invoking the Web service must use the encrypted key to encrypt and sign, and the server must send Signature Confirmation.

2.22.3 MtomClient.java